From the Field: Internet Access

🔎 From the Field: Real-World Findings from Security Assessments

💥 57.1% of infrastructures I've assessed allow all servers to access the internet, without any restrictions.

This is surprisingly common, and honestly hard to understand.

Yes, some servers need outbound access (DNS, Entra ID Connect, WSUS…), but that doesn't mean all of them should have it, and certainly not without any filtering.

💣 Full outbound access makes it trivial for attackers to:

🔺 Exfiltrate data

🔺 Connect to command-and-control (C2) infrastructure

🔺 Establish persistent tunnels

On top of that, once admins get used to this level of access, they often abuse it to download tools and scripts directly onto critical servers, including domain controllers. That's how mistakes happen (or worse: malware lands).

🚫 Block all outbound communication by default. Allow only what's truly needed, scoped to the destination, port and service that actually needs it.
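As an added example (not from the original post or the linked guide), here is a PowerShell script that applies the "block by default, allow only what is needed" rule with the built-in Windows Firewall, per server role. It assumes RFC 1918 internal address ranges, hypothetical DNS forwarder and egress-proxy addresses (RFC 5737 documentation addresses and a made-up 10.0.0.25 stand in for real ones), and the default Windows service names for the DNS Server, WSUS and Entra ID Connect sync services (DNS, WsusService, ADSync); verify those with Get-Service on your own hosts before relying on them.

```powershell
<#
  Added example, not code from the original post.
  Default-deny outbound egress on a Windows server with narrowly scoped
  allow rules for the roles the post names. Run elevated. Run with -Audit
  first: it logs allowed and blocked connections without changing the
  default action, so the allow list is built from evidence, not guesses.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [ValidateSet('Generic','DnsServer','Wsus','EntraConnect')]
    [string]$Role = 'Generic',
    # Assumption: internal space is RFC 1918. Inter-VLAN filtering is the network's job.
    [string[]]$InternalRanges = @('10.0.0.0/8','172.16.0.0/12','192.168.0.0/16'),
    # Hypothetical forwarders (RFC 5737 documentation addresses); replace with yours.
    [string[]]$DnsForwarders  = @('198.51.100.53','203.0.113.53'),
    # Hypothetical egress proxy that does hostname-based filtering for HTTPS.
    [string]$ProxyAddress     = '10.0.0.25',
    [int]$ProxyPort           = 3128,
    [switch]$Audit            # log only, leave the default outbound action unchanged
)

$Group = 'Egress Baseline'   # one rule group so the policy can be listed/removed as a unit

# 0. Replace only our own rules; never touch rules from other groups.
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# 1. Log dropped connections always; log allowed ones too while auditing.
$logAllowed = if ($Audit) { 'True' } else { 'False' }
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -LogBlocked True -LogAllowed $logAllowed `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 32767

# 2. Internal destinations stay reachable, so AD replication, Kerberos, LDAP
#    and friends keep working when the default flips to Block.
New-NetFirewallRule -Group $Group -DisplayName 'Egress: internal networks' `
    -Direction Outbound -Action Allow -RemoteAddress $InternalRanges | Out-Null

# 3. Internet-bound exceptions, pinned to the service that needs them.
switch ($Role) {
    'DnsServer' {
        # Recursion goes only to the configured forwarders, only from the DNS service.
        foreach ($proto in 'UDP','TCP') {
            New-NetFirewallRule -Group $Group -DisplayName "Egress: DNS forwarders ($proto)" `
                -Direction Outbound -Action Allow -Service DNS `
                -Protocol $proto -RemotePort 53 -RemoteAddress $DnsForwarders | Out-Null
        }
    }
    'Wsus' {
        # Windows Firewall matches IPs, not FQDNs, so Microsoft Update is reached
        # via the proxy, which enforces the hostname allow list.
        New-NetFirewallRule -Group $Group -DisplayName 'Egress: WSUS sync via proxy' `
            -Direction Outbound -Action Allow -Service WsusService `
            -Protocol TCP -RemotePort $ProxyPort -RemoteAddress $ProxyAddress | Out-Null
    }
    'EntraConnect' {
        New-NetFirewallRule -Group $Group -DisplayName 'Egress: Entra ID Connect via proxy' `
            -Direction Outbound -Action Allow -Service ADSync `
            -Protocol TCP -RemotePort $ProxyPort -RemoteAddress $ProxyAddress | Out-Null
    }
}

# 4. Flip the default last, and only once the audit log shows nothing unexpected.
if (-not $Audit) {
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block
}

# 5. Print the resulting policy so the change can be reviewed and documented.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultOutboundAction, LogBlocked
Get-NetFirewallRule -Group $Group | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Protocol      = $port.Protocol
        RemotePort    = ($port.RemotePort -join ',')
        RemoteAddress = ($addr.RemoteAddress -join ',')
    }
} | Format-Table -AutoSize
```

Typical use is `.\Set-EgressBaseline.ps1 -Role Wsus -Audit`, a few days of reading pfirewall.log, then the same command without -Audit (or with -WhatIf to preview the rule changes). The "internal networks" rule is deliberately coarse: it keeps domain traffic working so the change does not take a domain controller offline, and tightening it to the specific ports a role needs is the next step. A server with no sanctioned reason to reach the internet runs the Generic role and gets no internet exception at all.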

๐Ÿ—๏ธ ๐—จ๐˜€๐—ฒ ๐—ฉ๐—Ÿ๐—”๐—ก ๐˜€๐—ฒ๐—ด๐—บ๐—ฒ๐—ป๐˜๐—ฎ๐˜๐—ถ๐—ผ๐—ป to slow malware spread and improve infrastructure manageability.

๐—œ๐—ณ ๐˜†๐—ผ๐˜‚’๐—ฟ๐—ฒ ๐˜‚๐—ป๐˜€๐˜‚๐—ฟ๐—ฒ ๐˜„๐—ต๐—ถ๐—ฐ๐—ต ๐—ฝ๐—ผ๐—ฟ๐˜๐˜€ ๐—ฎ๐—ฟ๐—ฒ ๐—ฎ๐—ฐ๐˜๐˜‚๐—ฎ๐—น๐—น๐˜† ๐—ป๐—ฒ๐—ฒ๐—ฑ๐—ฒ๐—ฑ in a secure Windows environment, I created a reference guide to help you:

https://academy.horizon-secured.com/p/ad-network-ports